taskhostw.exe

  • File Path: C:\Windows\system32\taskhostw.exe
  • Description: Host Process for Windows Tasks

Hashes

Type Hash
MD5 536B1BEBA7BF2037BF27CD5BC6654696
SHA1 BA99BA1DBFA64CE188AF7CB681751C7185DF77CA
SHA256 F58B368E051EF114719DB91E1E82DB81E8274A0C9F1286A39B00D9EBB6FDE330
SHA384 2E4501528E81073B00B6DCD58BF3266B34FC5A878AB4A28C10187BB15F5C1C76F698CF5E854213025CD08DB20FFC5388
SHA512 7496F32D2E3E36A89EB42721FCB17017671CE643E2B5EF921B0E2726C80A05D08AC531F1E085C54F2A10150ADF4543ABF33FBE5006FC2BF5A1771DC5DE368C79
SSDEEP 1536:e0Je6hPDm9RsbcpHyxlLfE3RMaapRYJVC6XA+pfhNHrg8K6iSzyegZhP9:V465LbcJyxlLfE3RMRSXA+pfjg8K6+Tx
IMP 3A0C6863CDE566AF997DB2DEFFF9D924
PESHA1 41332FF5547305DA5BAE792C7F1CA84EC0FC8345
PE256 52C88862BBAACA55226F08A09E61563E15E679A5A2C5B505FF176A4B9ACE4C61

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\system32\taskhostw.exe
C:\Windows\System32\ucrtbase.dll

Signature

  • Status: Signature verified.
  • Serial: 330000026551AE1BBD005CBFBD000000000265
  • Thumbprint: E168609353F30FF2373157B4EB8CD519D07A2BFF
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: taskhostw.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/f58b368e051ef114719db91e1e82db81e8274a0c9f1286a39b00d9ebb6fde330/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\taskhostw.exe 44
C:\Windows\system32\taskhostw.exe 47
C:\Windows\system32\taskhostw.exe 44

Possible Misuse

The following table contains possible examples of taskhostw.exe being misused. While taskhostw.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_suspicious_vss_ps_load.yml - 'taskhostw.exe' DRL 1.0
sigma image_load_wmi_module_load.yml - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml - 'C:\WINDOWS\system32\taskhostw.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - 'C:\WINDOWS\system32\taskhostw.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml - 'C:\WINDOWS\system32\taskhostw.exe' DRL 1.0
atomic-red-team index.md - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md - Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md ## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md cmd.exe /K %APPDATA%\taskhostw.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1 MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.